A vulnerability classified as critical has been found in Apache Chainsaw up to 2.0.x. The affected code has not been identified. Upgrading to version 2.1.0 eliminates this vulnerability.
Description:
A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.
Mitigation:
Don't configure Chainsaw to read serialized log events. Use a different receiver, such as XMLSocketReceiver.
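To make the mitigation concrete, the following receiver configuration is an added example; it is not taken from this page or from the Chainsaw project. The commented-out first plugin entry is the pattern the advisory warns against: a receiver that deserializes Java LoggingEvent objects arriving over the network. The second entry is the XMLSocketReceiver the advisory recommends, which parses events from Log4j's XML format instead of deserializing Java objects. The plugin names and port numbers are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">

  <!-- WEAK (kept only as a comment so it is never loaded):
       org.apache.log4j.net.SocketReceiver reads Java-serialized LoggingEvent
       objects from the socket. Whoever can reach the port chooses the bytes
       that get deserialized, which is the flaw described in this advisory.
       Remove entries like this from the receiver configuration.

       <plugin name="serializedReceiver" class="org.apache.log4j.net.SocketReceiver">
         <param name="port" value="4445"/>
       </plugin>
  -->

  <!-- CORRECTED: XMLSocketReceiver parses incoming data as Log4j XML
       formatted events rather than deserializing Java objects, so a
       malicious object stream is rejected as malformed XML instead of
       being executed. Port 4448 is an example value, not a required one. -->
  <plugin name="xmlReceiver" class="org.apache.log4j.net.XMLSocketReceiver">
    <param name="port" value="4448"/>
  </plugin>

</log4j:configuration>
```

After changing the configuration, check that no remaining plugin entry references a receiver that consumes serialized objects (SocketReceiver or the related SocketHubReceiver), and switch the producing side to send XML-formatted events, for instance with an XMLSocketAppender, since a plain SocketAppender still transmits serialized objects that XMLSocketReceiver will not accept. The configuration change reduces exposure but does not replace the upgrade to 2.1.0 named above.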
Apache Chainsaw
Chainsaw is a Java-based graphical user interface tool for viewing and analyzing log files. It is designed to analyze logs generated by the Log4j logging system. Chainsaw v2, the current release, is a companion application to Log4j. Chainsaw and Log4j are open-source projects under the Apache Software Foundation.
Chainsaw is useful wherever a large trail of logging events needs to be viewed, queried and traced. Chainsaw can read local and SSH-reachable plain-text log files, as well as log files formatted in Log4j's XMLLayout. Chainsaw can receive events over UDP and TCP, read events from a database, and can also process events generated by java.util.logging.
Some features of Chainsaw v2:
- View remote events
- Saved Preferences
- Responsive
- Tabs/Docking
- Coloring
- Dynamic and powerful filtering
- Cyclic buffer (supports a cyclic-based event model, which is well suited to monitoring live applications)
- Built-in documentation and tutorial